CVE-2015-10148

HIGH

Hirschmann HiLCOS Hard-coded Credentials SSH SSL Keys

Title source: cna

Description

Hirschmann HiLCOS devices OpenBAT, WLC, BAT300, BAT54 prior to 8.80 and OpenBAT prior to 9.10 are shipped with identical default SSH and SSL keys that cannot be changed, allowing unauthenticated remote attackers to decrypt or intercept encrypted management communications. Attackers can perform man-in-the-middle attacks, impersonate devices, and expose sensitive information by leveraging the shared default cryptographic keys across multiple devices.

References (2)

Core 2

Core References

Vendor Advisory vendor-advisory

https://assets.belden.com/m/76d31798e65c9f47/original/Security-Bulletin-SSH-SSL-Default-Keys-HiLCOS-Hirschmann-BSECV-2015-12.pdf

Third Party Advisory third-party-advisory

https://www.vulncheck.com/advisories/hirschmann-hilcos-hard-coded-credentials-ssh-ssl-keys

Scores

CVSS v3 8.2

EPSS 0.0029

EPSS Percentile 20.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-321

Status published

Products (6)

Belden/Hirschmann HiLCOS < 8.60

Belden/Hirschmann HiLCOS < 8.80

Belden/Hirschmann HiLCOS < 9.00-RU1

Belden/Hirschmann HiLCOS 9.00 - 9.00-RU1

Belden/Hirschmann HiLCOS 9.10

Belden/Hirschmann HiLCOS >= 9.10

Published Apr 03, 2026

Tracked Since Apr 04, 2026